Bass v. Facebook, Inc.

Decision Date: 21 June 2019
Docket Number: Consolidated Cases: Nos. C 18-06022 WHA (JSC), No. C 18-05982 WHA (JSC), C 19-00117 WHA (JSC), C 18-05982 WHA (JSC)
Citation: 394 F.Supp.3d 1024
Parties: William BASS Jr., an individual and California resident, and Stephen Adkins, an individual and Michigan resident, on behalf of themselves and all others similarly situated, Plaintiffs, v. FACEBOOK, INC., Defendant.
Court: U.S. District Court — Northern District of California

Andrew N. Friedman, Pro Hac Vice, Karina Grace Puttieva, Cohen Milstein Sellers & Toll PLLC, Washington, DC, Ariana J. Tadler, Henry J. Kelston, Milberg Tadler Phillips Grossman LLP, New York, NY, John A. Yanchunis, Morgan & Morgan Complex Litigation Group, Tampa, FL, Jeremy Keith Robinson, Casey Gerry Schenk Francavilla Blatt and Penfield, San Diego, CA, Kate M. Baxter-Kauf, Lockridge Grindal Nauen P.L.L.P., Minneapolis, MN, for Plaintiffs.

Elizabeth L. Deeley, Alexander E. Reicher, Melanie Marilyn Blunschi, Michael H. Rubin, Latham & Watkins LLP, San Francisco, CA, Andrew Brian Clubok, Pro Hac Vice, Susan E. Engel, Pro Hac Vice, Latham & Watkins LLP, Washington, DC, Serrin A. Turner, Pro Hac Vice, Latham & Watkins LLP, New York, NY, for Defendant.

ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS

William Alsup, United States District Judge

INTRODUCTION

In this data-breach putative class action, defendant Facebook, Inc. moves to dismiss the consolidated complaint pursuant to Rule 12(b)(1) and Rule 12(b)(6). The motion to dismiss is GRANTED IN PART AND DENIED IN PART.

STATEMENT
1. FACEBOOK, INC.

Defendant Facebook, Inc. operates an online social network where users stay in touch with family and friends, share their thoughts, and connect with each other (Dkt. No. 76 ¶¶ 1, 9–11). This primarily happens on the user's "Timeline" — a space to share experiences by posting various forms of content, such as comments, photos, and videos (Bream Decl. ¶¶ 7, 8). Facebook's platform is widely used throughout the world. Facebook has approximately 2.2 billion users and an annual revenue of $40.65 billion (Dkt. No. 76 ¶¶ 1, 11).

Facebook primarily generates its revenue by monetizing its users' information. None of its 2.2 billion users pay Facebook money (id. ¶ 10). Instead, approximately 96% of Facebook's revenue "originate[s] from the sale of targeted advertising based on the extensive data Facebook collects, analyzes, and maintains about its users" (id. ¶ 11). In addition, the collected information enables the platform technology to operate (id. ¶¶ 26, 28, 32).

At minimum, Facebook requires every user to share their "name, email address or mobile phone number, date of birth, and gender" (id. ¶ 26). In full, however, Facebook purportedly collects a much broader set of data, including:

all posts, photos and videos, all replies, likes and reactions, all friends and friend history, all games, every "follow" including individuals, event, activity, service, application, group, web sites, advertisements, all followers of the same, all messages exchanges, event RSVPs, all profile information (username, devices, authentication methods, recoverable email accounts and credentials, encryption settings, phone numbers, challenge response information, biometric information and settings, birth date, major events, employment, education, education history, personal preferences, "about me," religion and political preferences, work history, book preferences, fitness data, news feed preferences, musical preferences), GPS locations where messages, photos, and posts were made, all "pokes," all advertisements, all calls and messages and associated event logs, and all security and login information including all devices used to access Facebook.

(id. ¶ 126).

The collection and maintenance of all this information has impelled Facebook to provide some transparency as to its data-protection practices. To this end, two separate links posted on the website, entitled "Data Policy" and "Privacy Basics" contain representations as to what data are collected, what data are shared, and with whom (id. ¶¶ 38, 44). The links also include certain representations such as "Privacy Principles" where Facebook asserts "[w]e design privacy into our products from the outset," "[w]e work around the block [sic] to help protect people's accounts," and "[w]e are accountable" (id. ¶ 44).

Nevertheless, Facebook users' private information has not been protected. In 2007, Facebook's then-57 million users settled a class action suit which arose from Facebook's "privacy" practices for $9.5 million. The following year, Facebook exposed the birthdays of roughly 80 million users (id. ¶¶ 11, 47–50). Then, in 2011, Facebook settled with the Federal Trade Commission over charges that it had deceived users by "telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public" (id. ¶ 54 n.32) (quoting Facebook Settles FTC Charges that it Deceived Consumers by Failing to Keep Privacy Promises, The Fed. Trade Comm'n (Nov. 29, 2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftc-charges-it-deceivedconsumers-failing-keep). More recently, in 2015, the world learned that Cambridge Analytica had misused personal data from Facebook to generate targeted political advertisements. Facebook's relationship with Cambridge Analytica led to a political uproar. All this preceded the instant suit (Dkt. No. 76 ¶¶ 48, 58).

2. ACCESS TOKENS

"Access tokens" star in the instant data breach. When a Facebook user logs into Facebook with a specific username and password, that user can conveniently access Facebook again without being forced to re-enter that information. This ease-of-access is facilitated by the "access token" generated by Facebook for that user upon his or her first log-in. The access token operates as an automatic super password — an electronic object embedded with all of a user's security information — which allows a user to log in numerous times without typing out their username and password each time. Many companies, not just Facebook, use this tool to reduce barriers between the user and the online platform, thereby increasing ease-of-access and efficiency (id. ¶¶ 81–83).

Facebook's access tokens, however, carry specific value. As stated in the consolidated complaint:

[o]nce a malicious actor is able to gain access to and compromise that user's access token, Facebook's lack of security and safeguards allowed that malicious actor to then use that access token to gain access to and compromise all tokens from that user's shared or connected web applications (i.e., those applications that utilize the "Facebook Login" system, such as Microsoft Azure cloud platform, SalesForce, etc.). Worse, that malicious actor could then reset all user permissions, passwords, and other safeguards (such as two-factor authentication) not only in Facebook, but also any third-party accounts that utilize Facebook's authentication login features and do so in such a manner that the user is not provided an alert or any other notification. From there, the malicious actor can syphon [sic] PII and other personal data from those accounts without hindrance. To prevent unauthorized users from eavesdropping, there is free software to validate the data transferred between the client browser and the application servers. Most hackers also utilize the free software as a simple method to detect and identify easy areas of exploit.

(Id. ¶ 110) (emphasis added).

Put simply, once a Facebook user's access token is compromised, all tokens from the user's shared or connected web applications (like Skype and Uber) purportedly become accessible. In addition, anyone with access to the token can reset all other user data permissions and steal the tokens of all connected applications without alerting the original user. Facebook's access tokens are allegedly the key to a breathtaking amount of online access (id. ¶¶ 99–101, 109).

Importantly, standard industry practice is for companies to limit the lifespan of the tokens. By contrast, Facebook allegedly designed its access tokens to never expire (id. ¶¶ 83, 106–109). With this background in tow, this order now turns to the events at issue.

3. THE DATA BREACH

On September 14, 2018, Facebook discovered it had a coding vulnerability related to its "View As" feature. The vulnerability revealed users' access tokens. Hackers accordingly stole the access tokens for 69,000 users. This led to the theft of a narrow set of information for 15 million worldwide users (2.7 million United States users) and a more comprehensive set of information for 14 million worldwide users (1.2 million United States users) (id. ¶¶ 84, 95).

The hacking began sometime after July 2017. The specific source of the vulnerability related to the internal coding of Facebook's "View As" feature. This feature permitted users to see what their own "Timeline" looked like to other users (id. ¶¶ 3, 88, 91, 94). To illustrate, if a teenage user wanted to see his own account from the perspective of his parents' account, the teenager would utilize this "View As" feature on his own account to "view" the account "as" his parents. This would enable the teenager to see firsthand what information his parents could and could not see on the teenager's account.

Momentarily stepping outside the consolidated complaint, Facebook has provided a declaration with step-by-step information of how the attack took place. Per the declaration, when a user's "Timeline" would be accessed in the "View As" mode, an access token of the other user would generate in the Hypertext Markup Language ("HTML") of the web page. The HTML is the part of the webpage that says "www.Facebook.com." So, when the teenager viewed his account through the eyes of his parents' account, his parents' access token generated in the part of the webpage that says "www.Facebook.com." These attackers could then utilize the parents' access token to access the parents' account and repeat the identical process with the...
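The two engineering points the order draws out of the complaint and the declaration are (a) that access tokens should carry a bounded lifetime rather than never expiring (section 2) and (b) that a "View As" preview must be rendered from the caller's own session and must never mint or embed a credential belonging to the user being impersonated (section 3). The following is an added Python illustration written for this page; it is not code from the order, the complaint, or Facebook. The `TokenStore`, `render_view_as`, the one-hour TTL, and the sample users and posts are all constructed assumptions.

```python
"""Toy model of bounded-lifetime access tokens and a credential-free "View As" preview.

Added example for this page; not the court's or Facebook's code. All names,
the TTL value and the sample data below are constructed for illustration.
"""
import html
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 60 * 60  # assumed one-hour lifetime; the order only says tokens should expire


@dataclass
class Token:
    value: str
    user_id: str
    issued_at: float
    expires_at: float


class TokenStore:
    """Issues opaque bearer tokens with a fixed lifetime and validates them."""

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so tests can move time forward
        self._tokens: Dict[str, Token] = {}

    def issue(self, user_id: str) -> Token:
        now = self._clock()
        tok = Token(secrets.token_urlsafe(32), user_id, now, now + self._ttl)
        self._tokens[tok.value] = tok
        return tok

    def validate(self, value: str) -> Optional[str]:
        """Return the owning user_id if the token is known and unexpired, else None."""
        tok = self._tokens.get(value)
        if tok is None:
            return None
        if self._clock() >= tok.expires_at:
            del self._tokens[value]  # purge expired tokens instead of leaving them usable
            return None
        return tok.user_id

    def revoke_all_for(self, user_id: str) -> int:
        """Invalidate every live token for a user (e.g. after a suspected compromise)."""
        doomed = [v for v, t in self._tokens.items() if t.user_id == user_id]
        for v in doomed:
            del self._tokens[v]
        return len(doomed)

    def live_values(self) -> List[str]:
        return list(self._tokens)


# Constructed sample data: each post carries an audience, "public" or "friends".
POSTS = {"teen": [("public", "Started a new school"), ("friends", "Party Saturday")]}
FRIENDS = {"teen": {"parent"}}


def visible_posts(owner: str, viewer: str) -> List[str]:
    """Apply the owner's audience rules from the viewer's perspective (no login as viewer)."""
    is_friend = viewer in FRIENDS.get(owner, set())
    return [text for audience, text in POSTS.get(owner, [])
            if audience == "public" or (audience == "friends" and is_friend)]


def render_view_as(store: TokenStore, session_token: str, view_as: str) -> str:
    """Render the caller's own Timeline as `view_as` would see it.

    The page is produced solely from the caller's validated session; no token
    for `view_as` is ever issued or embedded, so the HTML authenticates nobody.
    """
    owner = store.validate(session_token)
    if owner is None:
        raise PermissionError("session token expired or unknown")
    items = "".join(f"<li>{html.escape(p)}</li>" for p in visible_posts(owner, view_as))
    return (f"<html><body><h1>{html.escape(owner)} as seen by {html.escape(view_as)}</h1>"
            f"<ul>{items}</ul></body></html>")


def html_leaks_token(page: str, store: TokenStore) -> bool:
    """Defensive check: does the rendered page contain any live token value?"""
    return any(value in page for value in store.live_values())


if __name__ == "__main__":
    store = TokenStore(ttl=10)
    teen = store.issue("teen")
    store.issue("parent")
    page = render_view_as(store, teen.value, "parent")
    print(page)
    print("token leaked into HTML:", html_leaks_token(page, store))
```

The injected clock lets the expiry path be exercised deterministically, and `html_leaks_token` is the kind of regression check a team would attach to any preview or impersonation feature: whatever the page renders, it must never contain a credential for the user being previewed.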

35 cases
  • In re Facebook, Inc.
    • United States
    • U.S. District Court — Northern District of California
    • September 9, 2019
    ...Facebook had a responsibility to handle its users' sensitive information with care. See Bass v. Facebook, Inc. , 394 F.Supp.3d 1024, 1038–39, 2019 WL 2568799, at *10 (N.D. Cal. June 21, 2019). And contrary to Facebook's argument, the plaintiffs do not seek to hold Facebook liable for the co......
  • In re Google Assistant Privacy Litig.
    • United States
    • U.S. District Court — Northern District of California
    • July 1, 2021
    ...request to incorporate by reference Exhibits A-D is GRANTED. See Ritchie , 342 F.3d at 908 ; accord Bass v. Facebook, Inc. , 394 F. Supp. 3d 1024, 1037 n.1 (N.D. Cal. 2019) (granting Facebook's request to incorporate by reference the Terms of Service because the consolidated complaint relie......
  • McFarlane v. Altice USA, Inc.
    • United States
    • U.S. District Court — Southern District of New York
    • March 8, 2021
    ..."forever be wielded to identify [the victim] and target him in fraudulent schemes and identity theft attacks." Bass v. Facebook, Inc. , 394 F. Supp. 3d 1024, 1034 (N.D. Cal. 2019) ; see also Portier v. NEO Tech. Sols. , No. 3:17-CV-30111 (TSH), 2019 WL 7946103, at *12 (D. Mass. Dec. 31, 201......
  • In re Google Assistant Privacy Litig.
    • United States
    • U.S. District Court — Northern District of California
    • May 6, 2020
    ...the Terms of Service and Privacy Policy is therefore GRANTED. See Ritchie , 342 F.3d at 908 ; accord Bass v. Facebook, Inc. , 394 F. Supp. 3d 1024, 1037 n.1 (N.D. Cal. 2019) (granting Facebook's request to incorporate by reference the Terms of Service because the consolidated complaint reli......
1 books & journal articles
  • The Public Trust in Data
    • United States
    • Georgetown Law Journal No. 110-2, December 2021
    • December 1, 2021
    ...help themselves to unwarranted assumptions about the baseline extent of human agency. 135. See, e.g., Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1028 (N.D. Cal. 2019) (noting that ninety-six percent of Facebook’s revenue comes from targeted advertising). 136. On the use of algorithms in ......
